﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
29602	Jinja2's forceescape filter doesn't work on Django's safe strings	no	nobody	"Not sure if this is a Django bug, a Jinja bug, or something I need to change for upgrading to Django 2.0, but since it was a Django commit that causes it, I'm reporting here first.

I recently upgraded to Django 2.0, and shortly after had a complaint from one of our users about a page not displaying correctly. I tracked down the issue to a usage of Jinja's `forceescape` filter. 

My usage is that we're displaying a preview of an email that will be sent out, and we do this by using the `srcdoc` attribute of iframe, so our code looks like:

{{{
<iframe srcdoc=""{{ rendered_email | forceescape }}""></iframe>
}}}

The `rendered_email` variable is from a call to `get_template(template_name).render(ctx)`, which returns a `SafeString` object. Which makes sense since a rendered template should be HTML. And since I want to display the email inside of HTML again, it needs to be re-escaped, logically with the `forceescape` filter.

However, a change from [https://code.djangoproject.com/ticket/27795 this ticket]/[https://github.com/django/django/commit/ccfd1295f986cdf628d774937d0b38a14584721f#diff-58d9f7a5099962dc591a93a47a671b72 this commit] causes the `forceescape` filter to fail on the Jinja side. `forceescape` calls `str()` on its argument to remove the ""safety"", then re-escapes it; however, the aforementioned commit allows `SafeString` to bypass the assumption that Jinja makes when calling `str()`.
"	Bug	new	Utilities	2.0	Normal			Claude Paroz	Accepted	0	0	0	0	0	0
